# NixOS host module for the machine "higan": Secure Boot via lanzaboote,
# persisted state under /system/persist, age-encrypted WireGuard secrets, and
# laptop power-management tweaks.
{ config, pkgs, inputs, ... }:

let
  # Modules and secret references exported by this flake itself.
  flakeModules = inputs.self.modules;

  # Root of the persisted state, and the root SSH key that doubles as the age
  # identity. Kept as separate pieces so the persistence entry and the age
  # identity path below cannot drift apart.
  persistRoot = "/system/persist";
  rootSshKey = "/root/.ssh/id_ed25519";

  # Kernel module unloaded before sleep and reloaded on resume.
  wifiModule = "rtw88_8822ce";
  modprobe = "${pkgs.kmod}/bin/modprobe";
in
{
  imports = [
    ./disko.nix # disk layout for this host

    flakeModules.users.aya
  ];

  # `roles.*` are not stock NixOS options; presumably declared by this flake's
  # own modules — verify there what `tpm2.enable` actually turns on.
  roles.desktop = "gnome";
  roles.tpm2.enable = true;

  # systemd-boot is intentionally left off (was: systemd-boot.enable = true);
  # lanzaboote takes over boot-loader installation and signs the boot files.
  boot.loader.timeout = 1;
  boot.lanzaboote.enable = true;
  # Directory holding the Secure Boot key material. It is also listed in the
  # persistence set below so the keys survive reboots.
  # NOTE(review): the private signing keys live here; confirm the persisted
  # copy is readable by root only.
  boot.lanzaboote.pkiBundle = "/etc/secureboot";
  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.kernelPackages = pkgs.linuxPackages_6_12;
  boot.kernelParams = [ "tsc=unstable" ];

  # State kept across reboots (presumably the root filesystem is ephemeral and
  # everything not listed here is lost — confirm against ./disko.nix).
  environment.persistence.${persistRoot} = {
    directories = [
      config.boot.lanzaboote.pkiBundle
      "/etc/NetworkManager"
      "/var/db/sudo"
      "/var/lib"
      "/var/log"
    ];
    files = [
      "/etc/machine-id"
      {
        # Root's SSH private key; also used as the age identity below. The
        # parent directory is created 0700 so only root can traverse it.
        file = rootSshKey;
        parentDirectory.defaultPerms.mode = "0700";
        parentDirectory.mode = "0700";
      }
    ];
  };

  # Mount /system in the initrd so the persisted state is available early.
  fileSystems."/system" = { neededForBoot = true; };

  # The identity points at the persisted location rather than /root/.ssh,
  # presumably because secrets are decrypted during activation, before the
  # persistence mounts are in place — TODO confirm.
  age.identityPaths = [ "${persistRoot}${rootSshKey}" ];
  age.secrets.higan-wg0.file = flakeModules.secrets.higan-wg0;
  age.secrets.yama-wg0-higan.file = flakeModules.secrets.yama-wg0-higan;

  networking.hostName = "higan";
  networking.networkmanager.enable = true;

  networking.wireguard.interfaces.wg0 =
    let
      # Peer "yama". allowedIPs is a single /32, so only traffic to and from
      # 10.0.0.1 is routed through (and accepted from) this peer.
      yama = {
        publicKey = "Tan9IHvGvzeHFBSg3ZnhqNuJFYtAB+hfybbh9SPWRwk=";
        # Preshared key is read from the age-decrypted path at runtime rather
        # than being embedded in the configuration.
        presharedKeyFile = config.age.secrets.yama-wg0-higan.path;
        # Endpoint is a DNS name. With dynamicEndpointRefreshSeconds left
        # disabled (was: dynamicEndpointRefreshSeconds = 10), a changed DNS
        # record is presumably not picked up until the interface is restarted.
        endpoint = "bad.net.ru:51820";
        allowedIPs = [ "10.0.0.1/32" ];
      };
    in
    {
      ips = [ "10.0.0.3/24" ];
      listenPort = 51820;
      # Private key likewise comes from the age-decrypted path, not the config.
      privateKeyFile = config.age.secrets.higan-wg0.path;
      peers = [ yama ];
    };

  # Unload the driver before powering down and load it again on resume
  # (presumably a workaround for the device misbehaving across sleep).
  powerManagement.powerDownCommands = ''
    ${modprobe} -vr ${wifiModule}
  '';
  powerManagement.resumeCommands = ''
    ${modprobe} -v ${wifiModule}
  '';

  services.btrfs.autoScrub.enable = true;
  services.btrfs.autoScrub.fileSystems = [ "/system" ];

  # NOTE(review): dnsmasq and yggdrasil are enabled with no further settings
  # in this file; confirm which interfaces they listen on and that the
  # firewall policy covers wg0 and the Yggdrasil interface as intended.
  services.dnsmasq.enable = true;
  services.yggdrasil.enable = true;

  # Remap the "102nd" key on the keyboard with id 0001:0001 to a shift layer.
  services.keyd.enable = true;
  services.keyd.keyboards.internalKeyboard.ids = [ "0001:0001:" ];
  services.keyd.keyboards.internalKeyboard.settings = {
    main = { "102nd" = "layer(shift)"; };
  };

  # Lid close: suspend-then-hibernate on battery, plain suspend on AC.
  # NOTE(review): hibernation writes RAM contents (including decrypted
  # secrets) to swap. zram cannot hold a hibernation image, so this relies on
  # disk-backed swap, presumably defined in ./disko.nix — confirm it exists
  # and is encrypted.
  services.logind.lidSwitch = "suspend-then-hibernate";
  services.logind.lidSwitchExternalPower = "suspend";

  services.tlp.enable = true;
  services.tlp.settings = {
    # Driver name here differs from the kernel module name used for modprobe
    # above; presumably TLP matches the PCI driver name — TODO confirm.
    RUNTIME_PM_DRIVER_DENYLIST = [ "rtw_8822ce" ];
    # Meaning of the value 1 is hardware-specific — TODO confirm for this
    # machine's battery driver.
    STOP_CHARGE_THRESH_BAT0 = 1;
  };

  # Suspend using the "freeze" state; when suspend-then-hibernate is used,
  # hibernate after 20 minutes of suspend.
  systemd.sleep.extraConfig = ''
    SuspendState=freeze
    HibernateDelaySec=20m
  '';

  zramSwap.enable = true;
}
